

camper
Premium
join:2010-03-21
Bethel, CT
kudos:1
Reviews:
·Comcast

Odd log message

My firewall / router has recently been logging a lot of IPv6 router advertisement records coming from the network interface connected to the cable modem.

For example:
Mar 23 15:33:29 firewall rtadvd[21401]: received RA from fe80::1edf:fff:fe02:28e2 on non-advertising interface(em0)
Mar 23 15:33:32 firewall rtadvd[21401]: received RA from fe80::1edf:fff:fe02:28e2 on non-advertising interface(em0)
Mar 23 15:33:35 firewall rtadvd[21401]: received RA from fe80::1edf:fff:fe02:28e2 on non-advertising interface(em0)
Mar 23 15:33:38 firewall rtadvd[21401]: received RA from fe80::1edf:fff:fe02:28e2 on non-advertising interface(em0)
Mar 23 15:33:41 firewall rtadvd[21401]: received RA from fe80::1edf:fff:fe02:28e2 on non-advertising interface(em0)
Mar 23 15:33:53 firewall last message repeated 4 times
Mar 23 15:33:56 firewall rtadvd[21401]: received RA from fe80::1edf:fff:fe02:28e2 on non-advertising interface(em0)
Mar 23 15:33:59 firewall rtadvd[21401]: received RA from fe80::1edf:fff:fe02:28e2 on non-advertising interface(em0)
Mar 23 15:34:02 firewall rtadvd[21401]: received RA from fe80::1edf:fff:fe02:28e2 on non-advertising interface(em0)
Mar 23 15:34:35 firewall last message repeated 11 times
Mar 23 15:35:38 firewall last message repeated 21 times
Mar 23 15:35:41 firewall rtadvd[21401]: received RA from fe80::1edf:fff:fe02:28e2 on non-advertising interface(em0)
Mar 23 15:37:05 firewall rtadvd[4691]: received RA from fe80::1edf:fff:fe02:28e2 on non-advertising interface(em0)

It looks like every three seconds, 24/7.

Any idea what it might be?


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2
Reviews:
·Comcast
I get the same thing flooding my log, making it essentially useless. It has always done this ever since I activated IPv6. My "last message repeated times" runs 150-180.

I have no idea why it does this and the support forum for the firewall has not helped.

My router is a m0n0wall, what is yours? m0n0wall or pfsense or ?

MisterP

join:2012-10-11
US

4 edits
*Edit* I believe I found what it is: It is an Internet Control Message Protocol version 6 (ICMPv6) "Router Advertisement" packet

rtadvd is the RouTerADVertisementDaemon

From the Neighbor Discovery Protocol Wikipedia entry:

1. Router Solicitation - used by hosts to locate routers on an attached link. Nodes which forward packets not addressed to them generate Router Advertisements immediately upon receipt of this message rather than at their next scheduled time.
2. Router Advertisement - used by routers to advertise their presence together with various link and Internet parameters either periodically, or in response to a Router Solicitation message

You're on your own after that heh. Took me a bit to find that and I'm tired.


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2
Thanks, but I already know what they are.

What I don't understand is why they are flooding my log and what I can do to get it stopped or ignored without logging.


camper
Premium
join:2010-03-21
Bethel, CT
kudos:1
reply to MisterP
Thanks, I know what the rtadvd packet is, as I run rtadvd for my internal network to mete out IPv6 addresses.

I just don't know why I am seeing those packets coming in from the cable modem.


camper
Premium
join:2010-03-21
Bethel, CT
kudos:1
Reviews:
·Comcast
reply to graysonf
said by graysonf:

I get the same thing flooding my log, making it essentially useless. It has always done this ever since I activated IPv6. My "last message repeated times" runs 150-180.

 

I've also seen the "repeated times" run upwards to 200 times. I figured the ones I copied to the post would be sufficient.

I am running OpenBSD 5.2 as the firewall / router.

I am left wondering if a neighbor is sending out the router advertisements over his cable modem to everyone in the neighborhood? {shrug}

I even went as far as connecting a notebook running OpenBSD to the cable modem directly. The notebook is configured to accept rtadvd messages and configure its IPv6 address. However, the notebook did not receive an IPv6 address.

I am left to wonder why I am receiving those packets from Comcast's cable modem.....


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2
Mine look like this:

rtadvd[214]: received RA from fe80::201:5cff:fe22:c9c1 on non-advertising interface(fxp1)

fe80::201:5cff:fe22:c9c1 listed by the firewall as my WAN IPv6 gateway address.


camper
Premium
join:2010-03-21
Bethel, CT
kudos:1
Reviews:
·Comcast
My WAN IPv6 gateway has a 2001:470:... tunnel broker prefix. I don't see any host in the routing table with the fe80::1edf:fff:fe02:28e2 IP address.

btw, here's the log since midnight: (looks like a hit every three seconds)

Mar 24 00:03:04 firewall rtadvd[30037]: received RA from fe80::1edf:fff:fe02:28e2 on non-advertising interface(em0)
Mar 24 00:03:34 firewall last message repeated 10 times
Mar 24 00:05:34 firewall last message repeated 40 times
Mar 24 00:15:35 firewall last message repeated 200 times
Mar 24 00:25:36 firewall last message repeated 200 times
Mar 24 00:35:34 firewall last message repeated 199 times
Mar 24 00:45:35 firewall last message repeated 200 times
Mar 24 00:55:37 firewall last message repeated 200 times
Mar 24 01:05:38 firewall last message repeated 200 times
Mar 24 01:15:36 firewall last message repeated 199 times
Mar 24 01:25:37 firewall last message repeated 200 times
Mar 24 01:35:38 firewall last message repeated 200 times
Mar 24 01:45:36 firewall last message repeated 199 times
Mar 24 01:55:37 firewall last message repeated 200 times
Mar 24 02:05:38 firewall last message repeated 200 times
Mar 24 02:15:39 firewall last message repeated 200 times
Mar 24 02:25:37 firewall last message repeated 199 times
Mar 24 02:35:38 firewall last message repeated 200 times
Mar 24 02:45:39 firewall last message repeated 200 times
Mar 24 02:55:40 firewall last message repeated 200 times
Mar 24 03:05:38 firewall last message repeated 199 times
Mar 24 03:15:39 firewall last message repeated 200 times
Mar 24 03:25:40 firewall last message repeated 200 times
Mar 24 03:35:38 firewall last message repeated 199 times
Mar 24 03:45:39 firewall last message repeated 200 times
Mar 24 03:55:40 firewall last message repeated 200 times
Mar 24 04:05:42 firewall last message repeated 200 times
Mar 24 04:15:40 firewall last message repeated 199 times
Mar 24 04:25:41 firewall last message repeated 200 times
Mar 24 04:35:42 firewall last message repeated 200 times
Mar 24 04:45:40 firewall last message repeated 199 times
Mar 24 04:55:41 firewall last message repeated 200 times
Mar 24 05:05:42 firewall last message repeated 200 times
Mar 24 05:15:43 firewall last message repeated 200 times
Mar 24 05:25:41 firewall last message repeated 199 times
Mar 24 05:35:42 firewall last message repeated 200 times
Mar 24 05:45:43 firewall last message repeated 200 times
Mar 24 05:55:41 firewall last message repeated 199 times
Mar 24 06:05:42 firewall last message repeated 200 times
Mar 24 06:15:43 firewall last message repeated 200 times
Mar 24 06:25:44 firewall last message repeated 200 times
Mar 24 06:35:42 firewall last message repeated 199 times
Mar 24 06:45:43 firewall last message repeated 200 times
Mar 24 06:55:44 firewall last message repeated 200 times
Mar 24 07:05:46 firewall last message repeated 200 times
Mar 24 07:15:44 firewall last message repeated 199 times
Mar 24 11:32:20 firewall last message repeated 200 times
Mar 24 11:42:21 firewall last message repeated 200 times
Mar 24 11:52:19 firewall last message repeated 199 times
Mar 24 12:02:20 firewall last message repeated 200 times
Mar 24 12:08:27 firewall last message repeated 122 times
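
Added example (not part of any post in this thread): a Python sketch that expands syslog's "last message repeated N times" lines, as seen in the log above, to count RAs per source and interface and estimate the interval between them. The `year` default is an assumption, since syslog timestamps omit the year; the sample input is the first four lines of the log quoted above.

```python
import re
from datetime import datetime

# First four lines of the log quoted above, used as sample input.
SAMPLE = """\
Mar 24 00:03:04 firewall rtadvd[30037]: received RA from fe80::1edf:fff:fe02:28e2 on non-advertising interface(em0)
Mar 24 00:03:34 firewall last message repeated 10 times
Mar 24 00:05:34 firewall last message repeated 40 times
Mar 24 00:15:35 firewall last message repeated 200 times
"""

STAMP = r"(\w{3} +\d+ [\d:]{8}) \S+ "
RA_RE = re.compile(STAMP + r"rtadvd\[\d+\]: received RA from (\S+) "
                   r"on non-advertising interface\((\w+)\)")
REPEAT_RE = re.compile(STAMP + r"last message repeated (\d+) times")


def summarize(lines, year=2013):
    """Return {(source, iface): {"count", "first", "last"}} for RA log lines.

    year is an assumption: syslog timestamps do not carry one.
    """
    stats, last_key = {}, None
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ra, rep = RA_RE.match(line), REPEAT_RE.match(line)
        if ra:
            last_key, stamp, n = (ra.group(2), ra.group(3)), ra.group(1), 1
        elif rep and last_key:
            stamp, n = rep.group(1), int(rep.group(2))
        else:
            last_key = None  # unrelated message: later repeats are not RAs
            continue
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        entry = stats.setdefault(last_key, {"count": 0, "first": when, "last": when})
        entry["count"] += n
        entry["last"] = when
    return stats


def mean_interval(entry):
    """Average seconds between RAs, or None when only one was seen."""
    if entry["count"] < 2:
        return None
    return (entry["last"] - entry["first"]).total_seconds() / (entry["count"] - 1)


if __name__ == "__main__":
    for (src, iface), e in summarize(SAMPLE.splitlines()).items():
        print(src, iface, e["count"], mean_interval(e))
```

A repeat line is only attributed to an RA when the RA was the immediately preceding message, because syslog's repeat counter always refers to the previous line.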


camper
Premium
join:2010-03-21
Bethel, CT
kudos:1
Reviews:
·Comcast
reply to camper
I have logs going back to midnight March 17, 2013. The following is the first occurrence that I see in the logs:

Mar 20 12:00:59 firewall rtadvd[6348]: received RA from fe80::1edf:fff:fe02:28e2 on non-advertising interface(em0)


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2
Reviews:
·Comcast
reply to camper
fe80::1edf:fff:fe02:28e2 is a local link address somewhere.

I don't see the offending address in my routing table either.

Have you tried asking on any of the NetBSD mail lists or forums?

Also, I think that if you are seeing this stuff you could probably be using Comcast native IPv6. Have you tried it yet or do you just prefer an HE tunnel?


camper
Premium
join:2010-03-21
Bethel, CT
kudos:1
Reviews:
·Comcast

1 recommendation

Every few days, I fire up dhclient6 to see if I can get a prefix delegation, but no luck. That was my first thought, that Comcast was starting to enable IPv6 here.

I'd prefer to move over to Comcast native IPv6 when it becomes available. The he.net tunnel has been good to me, quite fast (faster and more reliable than Comcast's IPv4 when watching youtube videos), and I can't argue about the cost. But it is a layer of distraction compared to native Comcast IPv6.


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2
Are you sure you really can't get native IPv6? I thought they were very well along rolling it out by now.


camper
Premium
join:2010-03-21
Bethel, CT
kudos:1
Reviews:
·Comcast

1 recommendation

Am I sure? no. Am I fairly sure? yes.

(unless you count a Teredo (or is it a 6to4) tunnel that I get when I connect a Windows XP notebook directly to the cable modem.)

I've not heard of anyone who has IPv6 in this area yet.

I checked a little while ago, still no response to dhclient6 requests for PD, and those rtadvd packets do not result in an IPv6 address.


camper
Premium
join:2010-03-21
Bethel, CT
kudos:1
Just as suddenly as they started, the rtadvd packets have stopped at 14:26 this afternoon.

No entries in the log since then. {shrug}


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2

1 recommendation

I wish that were true here. I'd be willing to bet that once you are native IPv6 they will return.


NetDog
Premium,VIP
join:2002-03-04
Parker, CO
kudos:80
reply to camper
Send me your HFC (RF) cable modem MAC, I would like to take a look at the CMTS that services your area.. Most likely they are enabling interfaces for v6. Once they apply the config you're going to see RAs but the DHCPv6 server isn't giving out v6 till we are ready.


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2
Is there anything Comcast is doing that is causing these messages to flood my log?

This is the second BSD based firewall that is reporting this so I know it isn't just me.


NetDog
Premium,VIP
join:2002-03-04
Parker, CO
kudos:80

1 recommendation

said by graysonf:

Is there anything Comcast is doing that is causing these messages to flood my log?

This is the second BSD based firewall that is reporting this so I know it isn't just me.

Nope RA's are normal for v6, we aren't changing anything out of the norm.. I would question why they are logging the events, is the debug level high on it?


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2

1 recommendation

The logging level is not user settable.

The gist of the problem appears to me to be that RAs are arriving on an interface (WAN) that is unable to make use of them (non-advertising interface), thus triggering the log event.


camper
Premium
join:2010-03-21
Bethel, CT
kudos:1
Reviews:
·Comcast

1 recommendation

said by graysonf:

The logging level is not user settable...

 

I went into the source and commented out the line that does the logging.


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2
LOL.

I disabled IPv6 for now. It's not like I had to have it.


camper
Premium
join:2010-03-21
Bethel, CT
kudos:1
 
I just checked OpenBSD's version control system, and that logging line has been in rtadvd since it was imported from the KAME project in 1999.


NetDog
Premium,VIP
join:2002-03-04
Parker, CO
kudos:80
reply to camper
camper, I will take a look at the CMTS that services your area in the AM.. If I see something odd I will PM you..


camper
Premium
join:2010-03-21
Bethel, CT
kudos:1
thx.


camper
Premium
join:2010-03-21
Bethel, CT
kudos:1
Reviews:
·Comcast
reply to graysonf
said by graysonf:

fe80::1edf:fff:fe02:28e2 is a local link address somewhere.

I don't see the offending address in my routing table either....

 
When I set net.inet6.ip6.accept_rtadv=1 in /etc/sysctl.conf, I see the following entry in the routing table:

Destination                        Gateway                        Flags   Refs      Use   Mtu  Prio Iface Label
fe80::1edf:fff:fe02:28e2%em0       1c:df:0f:02:28:e2              UHLc       0        0     -     4 em0  


So the rtadvd message is inserting a route into the routing table here. Which, btw, is not surprising. This is the way things should work.


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2
Reviews:
·Comcast
said by camper:

So the rtadvd message is inserting a route into the routing table here. Which, btw, is not surprising. This is the way things should work.

How does this explain the log flooding and how can I get it stopped?


camper
Premium
join:2010-03-21
Bethel, CT
kudos:1
Reviews:
·Comcast
My opinion on the log flooding is that the OS is logging things that it should not be logging.

From the source code of rtadvd on OpenBSD:


        /*
         * RA consistency check according to RFC-2461 6.2.7
         */
        if ((rai = if_indextorainfo(pi->ipi6_ifindex)) == 0) {
                log_info("received RA from %s on non-advertising interface(%s)",
                    inet_ntop(AF_INET6, &from->sin6_addr, ntopbuf,
                        INET6_ADDRSTRLEN),
                    if_indextoname(pi->ipi6_ifindex, ifnamebuf));
                goto done;
        }



If you look at the RFC specified (RFC-2461, ¶ 6.2.7), it appears to me that it is talking about the contents of RA packets, not whether or not those packets appear on an interface. So, imo, the logging of the packets is overly aggressive.

As I mentioned in an earlier message, that piece of code goes back to the original KAME project. The code may have never been touched because, until recently, there has not been a major ISP that is providing dual-stack IPv6 capability.


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2
Thanks for the info on this. I will pass it onto the m0n0wall developers.


NetDog
Premium,VIP
join:2002-03-04
Parker, CO
kudos:80
reply to camper
said by camper:

My opinion on the log flooding is that the OS is logging things that it should not be logging.

If you look at the RFC specified (RFC-2461, ¶ 6.2.7), it appears to me that it is talking about the contents of RA packets, not whether or not those packets appear on an interface. So, imo, the logging of the packets is overly aggressive.

+1, I agree..
--
Comcaster.. Network Engineer with NETO